Win2k server and ISA 2004

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

We have 2 domain controllers serving about 25 WinXP PCs (with SMS 2003 on
one of the DCs), and I am making plans to install ISA 2004 on the 2
servers. I'd like to lock down the DCs so that any traffic outside of
normal domain controller duties will get blocked from both the internal and
external network.

Can someone point me to hopefully a list of services to allow and which
ports to leave open so that the DC functions normally? I've looked through
Microsoft's ISA webpage, but haven't had much success so far.

On DC-1, we have DNS, DHCP, Active Directory, and IIS running.
On DC-2, we have SMS, Active Directory, and IIS running.

thanks in advance,
panpan
 
Guest

If that is the only reason you are installing ISA on your domain
controllers, that is pretty much overkill. Microsoft provides the Windows
2003 Server Security Guide as a free download, and it details how to use
IPsec "filtering" using rules with permit/block filter actions to control
traffic to and from domain controllers or other servers based on source and
destination IP addresses and installed services. IPsec would not, however, be
the ideal solution as an internet firewall and is not intended as such, but
behind a perimeter firewall it can provide extra security via a packet
filtering type firewall implementation. The link below is for the Windows
2003 Server Security Guide.

http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 -- Windows
server port requirements.

"Pan Pan" <panpan@panpan.com> wrote in message
news:cp2fq3$f8q$1@newsmaster.cc.columbia.edu...
 
Guest

Positioning an ISA Server between member


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:C37td.148941$V41.135442@attbi_s52...
 
Guest

Positioning ISA Server between members and domain controllers is an
unsupported scenario. There is no need for this. If you want to block all
non-DC traffic from entering a domain controller, IPsec block/allow filters
are the right approach. See the paper "Active Directory in segmented
networks" for more details.

Steve Riley
steriley@microsoft.com



"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:C37td.148941$V41.135442@attbi_s52...
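The IPsec permit/block filtering that both replies above recommend, written out as an added example (not from the thread or from Microsoft's guide) using the netsh ipsec static context on Windows Server 2003. The policy and filter-list names are chosen here, the port list is only a well-known subset of what a DC needs, and the DHCP and IIS entries reflect the services the original poster says DC-1 runs.

```batch
@echo off
rem Added example, not from the thread: an IPsec "packet filter" policy for a DC.
rem Assumes Windows Server 2003 (netsh ipsec static); names below are chosen here.
rem The port subset is illustrative; extend it from the port-requirements KB
rem linked in the thread before assigning the policy.

set POLICY=DC Lockdown
set ALLOWLIST=DC Services In
set ANYLIST=All Traffic

rem Filter actions: plain permit and plain block, no IPsec negotiation.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem Permitted inbound services. Filters are mirrored by default, so replies flow back.
netsh ipsec static add filterlist name="%ALLOWLIST%"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=53  description="DNS"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=53  description="DNS (TCP)"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=88  description="Kerberos"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=88  description="Kerberos (TCP)"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=389 description="LDAP"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=389 description="LDAP ping"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 description="SMB (SYSVOL/NETLOGON)"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=135 description="RPC endpoint mapper"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=UDP srcport=68 dstport=67 description="DHCP server (DC-1 only)"
netsh ipsec static add filter filterlist="%ALLOWLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80  description="IIS"

rem Catch-all filter: every protocol, any address <-> me.
netsh ipsec static add filterlist name="%ANYLIST%"
netsh ipsec static add filter filterlist="%ANYLIST%" srcaddr=any dstaddr=me protocol=ANY description="Everything"

rem One policy, two rules. IPsec applies the MOST SPECIFIC matching filter, not the
rem first rule in order, so the port-level permits win over the catch-all block.
netsh ipsec static add policy name="%POLICY%" description="Permit DC services, block the rest"
netsh ipsec static add rule name="Allow DC services" policy="%POLICY%" filterlist="%ALLOWLIST%" filteraction="Permit"
netsh ipsec static add rule name="Block all else"    policy="%POLICY%" filterlist="%ANYLIST%"   filteraction="Block"

rem Review before assigning: a gap in the permit list cuts the DC off from the network.
netsh ipsec static show policy name="%POLICY%" level=verbose
rem netsh ipsec static set policy name="%POLICY%" assign=y
```

Active Directory also uses dynamically assigned RPC ports that this subset does not permit; the port-requirements KB linked above covers them, and the filter list must account for them (and for replication between the two DCs) before the policy is assigned.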